EEM Scripting - Action only if Syslog is seen once in a given time frame

jamiewils0n
Level 1

I have the following EEM config:

event manager applet EEM_BGP_DOWN
  event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to down"
  action 1.0 cli command "enable"
  action 1.1 cli command "configure term"
  action 1.2 cli command "interface loopback99"
  action 1.3 cli command "shut"

I would like to change this script so that it:

Counts how many matching syslog messages have been seen in the last 60 seconds

If the message count = 1 then action the script; if it's greater than 1 then it should not action the script.


Many Thanks

6 Replies

Robert Radford
Level 1

Try,

event manager applet EEM_BGP_DOWN
 event syslog pattern "%LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback100, changed state to down" ratelimit 60
 action 1.0 cli command "enable"
 action 1.1 cli command "configure term"
 action 1.2 cli command "interface loopback99"
 action 1.3 cli command "shut"

Hello Robert,

I want to track a similar event: if BGP neighbor goes down 5 times within 5 minutes (300s) then I will execute a command (remove neighbor).

What do you think about this:

event manager applet BGP_Errors
 event syslog occurs 5 pattern "%BGP-5-ADJCHANGE: neighbor 82.76.44.20 Down BGP Notification sent" period 300
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 2.0 cli command "router bgp 19421"
 action 2.1 cli command "neighbor 82.76.44.20 shutdown"
 action 3.0 syslog msg "Due to excessive BGP errors neighbor 82.76.44.20 has been SHUT"


I currently don't have ratelimit on my 12.4(24)T2, so I am concerned whether it will respect the condition timing-wise.

Here are the tests I did in GNS:


Log Buffer (8192 bytes):

*Mar  1 00:08:34.423: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:08:39.355: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Mar  1 00:09:09.503: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:09:09.503: %BGP-3-NOTIFICATION: sent to neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Mar  1 00:09:42.647: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Mar  1 00:10:12.787: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:10:12.787: %BGP-3-NOTIFICATION: sent to neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Mar  1 00:10:41.251: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Mar  1 00:11:11.423: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:11:11.423: %BGP-3-NOTIFICATION: sent to neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Mar  1 00:11:45.379: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Mar  1 00:12:16.135: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:12:16.139: %BGP-3-NOTIFICATION: sent to neighbor 1.1.1.1 4/0 (hold time expired) 0 bytes
*Mar  1 00:12:16.295: %HA_EM-6-LOG: BGP_Errors: Due to excessive BGP errors neighbor 1.1.1.1 has been SHUT

And of course the result:

router bgp 19421
 no synchronization
 bgp log-neighbor-changes
 timers bgp 10 30
 neighbor 82.76.44.20  remote-as 6843
 neighbor 82.76.44.20 shutdown
 neighbor 82.76.44.20 ebgp-multihop 2


Any additional thoughts about this before adding it into production?


Florin,

That looks ok and you have tested to validate that it is what you want to happen.

The only thing I would do is add the "end" and "exit" statements to the cli commands to ensure that the VTY lines are released.


E.g.:

event manager applet BGP_Errors
 event syslog occurs 5 pattern "%BGP-5-ADJCHANGE: neighbor 82.76.44.20 Down BGP Notification sent" period 300
 action 1.0 cli command "enable"
 action 1.1 cli command "conf t"
 action 2.0 cli command "router bgp 19421"
 action 2.1 cli command "neighbor 82.76.44.20 shutdown"
 action 3.0 cli command "end"
 action 4.0 cli command "exit"
 action 5.0 syslog msg "Due to excessive BGP errors neighbor 82.76.44.20 has been SHUT"

Thanks for the tip Robert!

You're welcome. Good luck.
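As an added example (not from this thread or from Cisco), the Python below models the two EEM syslog triggers discussed here, "ratelimit N" from Robert's first reply and "occurs N ... period P" from Florin's applet, over constructed log lines patterned on Florin's GNS3 buffer. The firing semantics are my reading of the keyword descriptions and are labelled as assumptions; the router is the authority, which is why Florin's lab test matters.

```python
import re

# Constructed sample lines, modelled on the GNS3 log buffer shown in the thread.
SAMPLE_LOG = """\
*Mar  1 00:08:39.355: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Mar  1 00:09:09.503: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:09:42.647: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Up
*Mar  1 00:10:12.787: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:11:11.423: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:12:16.135: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:13:20.000: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
*Mar  1 00:20:00.000: %BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent
"""
DOWN_PATTERN = "%BGP-5-ADJCHANGE: neighbor 1.1.1.1 Down BGP Notification sent"

# IOS timestamp: optional '*' (clock not authoritative), month, day, hh:mm:ss.mmm
TS_RE = re.compile(r"^\*?\w{3}\s+(\d+) (\d\d):(\d\d):(\d\d)\.(\d{3}): (.*)$")

def match_times(log, pattern):
    """Seconds-into-month of every line whose message matches the EEM regex."""
    times = []
    for line in log.splitlines():
        m = TS_RE.match(line)
        if m and re.search(pattern, m.group(6)):
            day, hh, mm, ss, ms = (int(x) for x in m.groups()[:5])
            times.append(day * 86400 + hh * 3600 + mm * 60 + ss + ms / 1000)
    return times

def ratelimit_fires(times, ratelimit):
    """Model of 'ratelimit N' (assumed semantics): the first match fires, later
    matches are dropped until N seconds have passed since the last fire."""
    fires, last = [], None
    for t in times:
        if last is None or t - last >= ratelimit:
            fires.append(t)
            last = t
    return fires

def occurs_fires(times, occurs, period):
    """Model of 'occurs N period P' (assumed semantics): fire when N matches fall
    inside a sliding P-second window; the count restarts after a fire."""
    fires, window = [], []
    for t in times:
        window = [x for x in window if t - x <= period] + [t]
        if len(window) >= occurs:
            fires.append(t)
            window = []
    return fires

if __name__ == "__main__":
    downs = match_times(SAMPLE_LOG, DOWN_PATTERN)
    print("matches:", len(downs))
    print("ratelimit 60 fires:", len(ratelimit_fires(downs, 60)))
    print("occurs 5 period 300 fires:", len(occurs_fires(downs, 5, 300)))
```

Note the difference from the original question: ratelimit still acts on the first match and only suppresses the ones that follow within the window, it does not wait to see whether a second match arrives before deciding.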
